The supermassive leak contains data from numerous previous breaches, comprising an astounding 12 terabytes of information, spanning over a mind-boggling 26 billion records. The leak, which contains LinkedIn, Twitter, Weibo, Tencent, and other platforms’ user data, is almost certainly the largest ever discovered.
↫ Vilius Petkauskas at cybernews
Holy cow.
The bad thing about these leaks is they are massive.
The good thing about these leaks is also that they are massive.
With a 12TB archive over (possibly) Onion/Tor links, which will give you at best 50-100 KB/s, you’d need years to download the data. Even if you get 10 Mbit/s over Tor (very unlikely), it is 3.6 months of non-stop download (assuming nobody takes down the archives).
sukru,
I don’t think the article revealed the source, how do you know this was published through tor?
It’s more likely that they would be distributed via torrent, which will be a lot faster than this.
I’d be surprised if that was the distribution method as it makes it very difficult to retain control of the profit of the data
More likely its in nice segmented chunks in a data warehouse which is sold in batches.
Adurbe,
I could not find this particular leak (my “dark net skills” are not very good), but I had run into other leaks in the past.
And they were either “wikileaks” style “journalistic” leaks that were freely available.
Or, on a Tor site with an auction.
Given this has commercial value, yes, I had the expectation to have this distributed that way.
Unfortunately, there’s not much for end users to do when the fault lies with the entities who collect and store their data. I was a victim of the Home Depot breach. The only thing you as a user can do is use unique credentials so that what’s leaked doesn’t have value elsewhere, a practice I’ve used for a long time.
I checked the form and apparently this breach contains the account data from the osnews breach a few years ago. This is not newsworthy, but it’s interesting to see how these databases are getting repackaged on the dark web.
https://cybernews.com/personal-data-leak-check/
Tooling-wise, I’ve found this next site to be most useful. It supports catch-alls, gives you more information about the breach and lets you set up breach notifications. I got a notification for the linkedin breach before learning about it in the news, for example.
https://haveibeenpwned.com/
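As an added example (not code from the comment author or from Have I Been Pwned itself), the following shows the mechanism that makes a breach-check service usable without handing it your secret: the Pwned Passwords range API is keyed on the first five hex characters of the SHA-1 of the password, so only that prefix is sent and the service returns every suffix it has for that prefix; the match is made on the client. The endpoint URL and the `Add-Padding` header are the documented ones; the sample range response, its counts and the `offlineFetch` helper are constructed here so the block runs without network access.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"strconv"
	"strings"
)

// RangeFetcher returns the body of the range response for a 5-hex-char prefix.
type RangeFetcher func(prefix string) (io.ReadCloser, error)

// SplitHash hashes the password with SHA-1 (what the API keys on) and splits
// the upper-case hex digest into the 5-char prefix that is sent to the service
// and the 35-char suffix that never leaves the client.
func SplitHash(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// countInRange scans "SUFFIX:COUNT" lines for our suffix; 0 means not found.
func countInRange(body io.Reader, suffix string) (int, error) {
	sc := bufio.NewScanner(body)
	for sc.Scan() {
		s, c, ok := strings.Cut(strings.TrimSpace(sc.Text()), ":")
		if ok && strings.EqualFold(s, suffix) {
			return strconv.Atoi(strings.TrimSpace(c))
		}
	}
	return 0, sc.Err()
}

// PwnedCount returns how many times the password appears in the corpus.
func PwnedCount(password string, fetch RangeFetcher) (int, error) {
	prefix, suffix := SplitHash(password)
	body, err := fetch(prefix)
	if err != nil {
		return 0, err
	}
	defer body.Close()
	return countInRange(body, suffix)
}

// liveFetch queries the real service. Add-Padding asks for dummy entries so
// that the response size does not reveal how many real hashes share the prefix.
func liveFetch(prefix string) (io.ReadCloser, error) {
	req, err := http.NewRequest("GET", "https://api.pwnedpasswords.com/range/"+prefix, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Add-Padding", "true")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		resp.Body.Close()
		return nil, fmt.Errorf("range query failed: %s", resp.Status)
	}
	return resp.Body, nil
}

// sampleRange is a constructed stand-in for the response to range/5BAA6
// (SHA-1("password") = 5BAA61E4C9B9...). The neighbouring suffixes and all
// counts are made up for this example.
const sampleRange = "1E2F2C2E8B3D0A1C4F5B6D7E8F9A0B1C2D3:2\r\n" +
	"1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n" +
	"1E5A0F1D2C3B4A5968778695A4B3C2D1E0F:0\r\n"

// offlineFetch serves the constructed sample so the example runs without network.
func offlineFetch(prefix string) (io.ReadCloser, error) {
	if prefix == "5BAA6" {
		return io.NopCloser(strings.NewReader(sampleRange)), nil
	}
	return io.NopCloser(strings.NewReader("")), nil
}

// CheckOffline runs the full check against the constructed range data.
func CheckOffline(password string) (int, error) { return PwnedCount(password, offlineFetch) }

func main() {
	for _, pw := range []string{"password", "correct horse battery staple"} {
		n, err := CheckOffline(pw)
		fmt.Printf("%q seen %d times (err=%v)\n", pw, n, err)
	}
}
```

Swap `offlineFetch` for `liveFetch` to query the real service; the important property is that `suffix` is only ever compared locally, so a passive observer of the request learns nothing beyond a 5-character prefix shared by hundreds of other hashes.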
Best defense is to avoid creating unnecessary accounts everywhere. The insistence on unnecessary information collected by every service and their cousins creates a larger attack surface than necessary.
Every now and then i go down every entry in my password manager and try to close as many accounts as i can get away with.
OR, hear me out, you poison the well. Every dumb account wants your
A) Address
B) Date of Birth
C) Email
There is no way for them to reliably and cheaply determine if you are lying about any of those (gaming sites do, but it’s not cheap). The hard part is email; you can do it with some effort and some MX toolbox trickery, if needed. I’m not certain that’s really needed, but it can’t hurt.
So yeah “My” info is in there, kind of. Some of it might be real for sites I can’t avoid, but for the most part my details are fake.
Bill Shooter of Bul,
I agree, but sometimes the most sensitive information is financial data that can’t be faked (faking it might even be fraud). “Credit card numbers” and SSN are a travesty of data security in the age of crypto. It is objectively bad that we use them like we do despite far more secure technology existing in the modern age. Static numbers should be outlawed as means of authorizing anything, any company using them should automatically be liable for any unpaid debt no questions asked. We should be using cryptographically secure authentication & signing for everything and it should be done with federated vendor neutral technology.
I think the main reason credit card companies have failed to fix this is because even fraudulent transactions are profitable and their incentive is to keep fraud alive. Seriously, this is absurd, but instead of deprecating notoriously (and obviously) insecure methods, they offload the costs of fraud to their merchants while charging another fee for it. This too should be outlawed; nobody should be profiting off of fraud, least of all the companies most responsible for facilitating it with irresponsibly insecure numbers that are so easily leaked. It’s time we switch to using real crypto.
yeah those are tricky, don’t give them out unless absolutely needed. Don’t store them with the vendors if at all possible.
The hacks are no longer isolated, these are happening all the time and we really should be approaching these security threats with the presumption that the data will be accessed.
https://www.bleepingcomputer.com/news/security/global-fintech-firm-equilend-offline-after-recent-cyberattack/
The lesson we should all be learning isn’t merely that security is important, putting all our eggs in one basket is bad, etc, but also maybe not holding so much data in the first place. And when it really is necessary, making sure the leaked data isn’t technically useful in committing further fraud.
As a tech professional, it’s just frustrating to see so many companies, and prominent ones at that, continuing to use insecure methods. PKI has been around for decades, it’s disappointing that we’re not using it more effectively.
It’s great that companies are ostensibly securing networks, implementing “outer defenses” and whatnot, but when their networks are successfully hacked, that shouldn’t mean game over. Had they built up a PKI foundation internally, it could continue to provide cryptographically robust protection even after an intrusion. I’ve long advocated for this, but it never gains momentum and most businesses seem content to only implement perimeter security measures.
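As an added example (not from the comment author, and not a description of any real card network's protocol), the following sketches what the argument above amounts to in code: a payment authorized by a signature over the specific transaction, with only the public key held by the issuer, instead of a static number that authorizes anything once copied. The card IDs, merchant names, amounts and the length-prefixed message encoding are assumptions of this example. The scenario exercises the three things a leak of the issuer's database or of a captured authorization would let an attacker try: replaying it, altering the amount, and signing with a key that is not the cardholder's.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authorization is what the cardholder signs. Merchant, amount and a fresh
// nonce are bound by the signature, so a captured copy is useless elsewhere.
type Authorization struct {
	CardID   string // public identifier; leaking it authorizes nothing
	Merchant string
	Amount   uint64 // minor units (cents)
	Currency string
	Nonce    [16]byte
	Sig      []byte
}

var (
	ErrUnknownCard  = errors.New("unknown card")
	ErrBadSignature = errors.New("signature does not verify")
	ErrReplay       = errors.New("nonce already used")
)

// canonical gives an unambiguous, length-prefixed encoding of every field the
// signature must cover (assumed format for this example).
func (a *Authorization) canonical() []byte {
	var buf bytes.Buffer
	put := func(s string) {
		binary.Write(&buf, binary.BigEndian, uint32(len(s)))
		buf.WriteString(s)
	}
	put(a.CardID)
	put(a.Merchant)
	binary.Write(&buf, binary.BigEndian, a.Amount)
	put(a.Currency)
	buf.Write(a.Nonce[:])
	return buf.Bytes()
}

// Sign runs on the cardholder's device; the private key never leaves it.
func Sign(priv ed25519.PrivateKey, a Authorization) Authorization {
	a.Sig = ed25519.Sign(priv, a.canonical())
	return a
}

// Issuer stores only public keys, so a breach of its database yields nothing
// that can be used to authorize a payment.
type Issuer struct {
	keys map[string]ed25519.PublicKey
	seen map[[16]byte]bool
}

func NewIssuer() *Issuer {
	return &Issuer{keys: map[string]ed25519.PublicKey{}, seen: map[[16]byte]bool{}}
}

func (i *Issuer) Enroll(cardID string, pub ed25519.PublicKey) { i.keys[cardID] = pub }

// Authorize verifies the signature over the exact transaction and rejects
// any nonce it has already accepted.
func (i *Issuer) Authorize(a Authorization) error {
	pub, ok := i.keys[a.CardID]
	if !ok {
		return ErrUnknownCard
	}
	if !ed25519.Verify(pub, a.canonical(), a.Sig) {
		return ErrBadSignature
	}
	if i.seen[a.Nonce] {
		return ErrReplay
	}
	i.seen[a.Nonce] = true
	return nil
}

func newNonce() [16]byte {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		panic(err)
	}
	return n
}

// Scenario enrolls one card and returns the outcomes of a genuine
// authorization, a replay of the captured message, the captured message with
// the amount altered, and a forgery by someone who knows only the card ID.
func Scenario() (genuine, replay, tampered, forged error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	issuer := NewIssuer()
	issuer.Enroll("card-0001", pub)

	auth := Sign(priv, Authorization{CardID: "card-0001", Merchant: "shop.example",
		Amount: 4999, Currency: "USD", Nonce: newNonce()})
	genuine = issuer.Authorize(auth)
	replay = issuer.Authorize(auth)

	bigger := auth // attacker edits the captured message
	bigger.Amount = 499900
	bigger.Nonce = newNonce()
	tampered = issuer.Authorize(bigger)

	_, attackerKey, _ := ed25519.GenerateKey(rand.Reader)
	forged = issuer.Authorize(Sign(attackerKey, Authorization{CardID: "card-0001",
		Merchant: "fence.example", Amount: 100000, Currency: "USD", Nonce: newNonce()}))
	return
}

func main() {
	g, r, t, f := Scenario()
	fmt.Println("genuine:", g, "| replay:", r, "| tampered:", t, "| forged:", f)
}
```

The contrast with a static card number is the point: here the only secret is on the cardholder's side, the issuer's table can be dumped in full without enabling a single charge, and a merchant who keeps old authorizations on file holds nothing that can be charged again. A real deployment would additionally bound the nonce store with an expiry, which this example omits.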
The real struggle is to get the general population to follow digital sanitary rules… I don’t have that answer….
gagol2,
Granted, I agree the general population should be better educated on data security. However most of these breaches demonstrate systematic failures at the industry level rather than failures at the population level. We should not be blaming the victims for breaches that are outside of their control or when they are instructed to use broadly insecure methods for service. Obviously reusing emails/passwords/etc can exacerbate the situation after a breach, but the breaches would happen regardless.
When it comes to sharing CC#/SSN/bank account #/etc, the fault lies with bad commerce practices that consumers are generally powerless to fix themselves.
Alfman,
True, but the cost for organizations to leak information is minimal. At best they will write a check for $3 per person, and sign people up for 2 years of “identity protection service” (which is probably perpetual thanks to all the leaks).
Since there is no real accountability, there is no real reason to do more.
And, that leads to…
I would say this is not about “profitability”, but rather not caring. The cost of fraud is baked into the business pricing, and since cash already has a cost (similar or sometimes worse than credit cards), merchants do not care either.
Adding 3-5% to prices is not a large concern, if they can process transactions much faster. Someone coming up short on cash in register, or cash register being robbed (sometimes by employees) is a larger problem for them than occasional chargebacks.
sukru,
I do not agree. The merchants have been fighting exploitation by the credit card companies for years. A few years ago some merchants won some critical cases and consequently credit card prices got depegged from cash prices (equal prices had been contractually mandated). Now, at least in NYS, it’s normal for merchants (at gas stations, restaurants, shops, food stands, etc.) to impose a credit card surcharge in the amount of 5-10% due to the higher cost of doing business with CC. While I don’t like surcharges, I actually think this needed to happen. Prior to this all consumers were being forced to subsidize the noncompetitive credit card business model via hidden price increases to all consumers. This was of course by design and created perverse incentives. By itemizing credit card fees, it gives consumers the right to choose whether to pay those credit card fees at all. As a result, it limits what credit card companies can get away with.
Personally I’m happy to pay cash to omit the credit card surcharge until such time when credit cards become more competitive with cash prices. If people want to pay the credit card fees for the convenience, that’s their prerogative. But the important thing is that neither I nor the merchants are forced to subsidize it.
I think you need to reevaluate this view. Those who work with merchants know that’s not true. CC fraud is happening far more frequently than armed robbery. The number of chargebacks is estimated at 615M in 2021. Assuming an average $25 fee, that’s $15.4B in annual fees alone, but the true cost to a business is higher than this because the business can be out shipping, product costs, labor, etc.
https://www.bigcommerce.com/blog/chargebacks-justt/
So although these are just ballpark numbers, that’s around $147.6B lost annually.
I’ve personally seen what merchants can go through when fulfilling orders with credit cards. One of my clients contacted me to verify a suspicious order. Everything checked out: the credit card verification all passed and everything was technically in order. But it was for something like 5 stereo systems, which was very unusual. As a merchant, do you ship it? If it turns out to be fraudulent, they’re not only out the chargeback fees, but thousands of dollars worth of products and shipping. They ended up declining the order. It may have theoretically been valid, but given how common credit card fraud is they didn’t want to take the risk. Had the order looked more normal, it would have never gotten flagged and they might have taken a loss in that case.
Anyway, I’d like you to appreciate just how precarious the fraud situation is for merchants. Accepting CC orders is a gamble. Credit cards are notoriously insecure and that has to be factored into any business that accepts them. The reality is that it’s consumers who are ultimately paying for this in the form of higher prices. This is one of the reasons merchants here are charging more to accept CC transactions over cash.
You don’t even know your data is shared.
There was a leak from Target, where the air conditioning service company’s credentials were used to access customer information.
And “First Initial” + “Lastname” + “Zip Code” can uniquely identify about 90% of people.
What are you going to do? Never shop online or in stores? Never use credit cards? Never use loyalty cards? Don’t go on the Internet?
Okay, maybe for older folks that were raised in the “analog” age, this might make sense.
But the new generation is getting “Roblox cards” before they get steady pocket money.
sukru,
Probably the best you can do as a consumer within the current flawed CC system that visa/mastercard/etc provide is to use one-time-use credit card numbers for everything…
https://www.nerdwallet.com/article/credit-cards/what-is-a-virtual-credit-card-number
Still, that credit card companies don’t have any way of securing transactions cryptographically in this day and age is inexcusable (although this makes sense when you look at their profit incentives as mentioned earlier).